Partner Perspectives: Extend Visibility Without Expanding Your Team

Type carbonblack
Reporter Ryan Murphy
Modified 2018-08-21T19:16:14


The best partnerships seem destined from the start - Han Solo and Chewbacca, Mario and Luigi - even newer partners, like Groot and Rocket. The best partners combine their strengths to expand the opportunities available to them.

This is true of partnerships in cybersecurity (stay with us here).

Better Together: Carbon Black + Expel

You know endpoint detection and response (EDR) solutions enable you to detect more by providing visibility into events that occur on endpoints. These events can help identify unusual network connections, suspicious process relationships and potential credential theft. But more visibility means more data and alerts to look through and respond to - and your team is already drowning in data. Trying to sift through and prioritize a deluge of alerts to decide which ones need attention and which are false alarms is a time-consuming task for security operations teams.

That’s where Expel comes in. Our integration with Carbon Black reduces the workload for your security operations team, increasing the value of your Carbon Black products. Expel operates your existing security products as part of a managed detection and response (MDR) service. To put it simply: We play really well with others - connecting your security technologies, like Carbon Black, with your network detection agents, like Palo Alto Networks, Darktrace and ProtectWise, with your SIEMs, such as Splunk, IBM QRadar and Sumo Logic.

How it Works

Our analysts monitor your Carbon Black implementations 24×7 and investigate suspicious activity. When our analysts find something unusual, they use the data Carbon Black collects to determine what happened, identifying other hosts involved and recommending next steps in plain English, so no time is lost to tech translation.

Because Carbon Black is constantly collecting process data in the background, our analysts can go back and query what occurred on an endpoint in your environment. According to one of our senior analysts, one of the best elements of working with customers using Carbon Black is “that it allows us to actually get on the box and pull back indicators that we identify through our investigation, and pull them back for further analysis while the box is still online.”

For example, an analyst recently investigated an alert one of our customers received from Carbon Black. The alert indicated a suspicious process relationship between Excel and PowerShell. It’s uncommon for Excel to spawn PowerShell, so our analyst started digging for answers. Because the customer has Cb Response as their EDR solution, we were able to pull process information, and our analyst confirmed the incident began with abuse of Microsoft Dynamic Data Exchange (DDE). The attacker used DDE to cause Microsoft Excel to download and execute a PowerShell payload that ultimately implanted a Cobalt Strike beacon. Once we identified where everything started, our analysts were able to trace the attacker’s lateral movement within the customer’s infrastructure using Cb Response.
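As an added example that is not from the post or from either vendor's products, here is a minimal Python detector for the Excel-to-PowerShell parent-child relationship described above, run over constructed process-start records and walking the chain back to its root the way the analyst did; the record layout and the executable lists are assumptions, not Carbon Black's schema.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """One process-start record (assumed layout, not an EDR vendor's schema)."""
    pid: int
    ppid: int
    image: str       # executable name; compared case-insensitively
    cmdline: str

# Office applications that rarely have a legitimate reason to launch an interpreter.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Interpreters whose appearance directly under an Office parent is the alert trigger.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

def detect_office_spawns_shell(events):
    """Return (parent, child) pairs where an Office process directly spawned an interpreter."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if (parent is not None
                and parent.image.lower() in OFFICE_PARENTS
                and child.image.lower() in SCRIPT_CHILDREN):
            hits.append((parent, child))
    return hits

def ancestry(events, pid):
    """Walk parent links to the root so an analyst can see where the chain began."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return list(reversed(chain))

# Constructed sample telemetry: explorer -> excel -> powershell, plus benign noise.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "EXCEL.EXE", '"EXCEL.EXE" C:\\Users\\user\\invoice.xlsx'),
    ProcessEvent(300, 200, "powershell.exe", "powershell.exe <constructed placeholder>"),
    ProcessEvent(400, 100, "powershell.exe", "powershell.exe -File inventory.ps1"),  # benign: explorer parent
    ProcessEvent(500, 100, "WINWORD.EXE", '"WINWORD.EXE" notes.docx'),  # benign: no interpreter child
]

if __name__ == "__main__":
    for parent, child in detect_office_spawns_shell(SAMPLE_EVENTS):
        print(f"ALERT {parent.image} (pid {parent.pid}) -> {child.image} (pid {child.pid})")
        print("  chain:", " -> ".join(ancestry(SAMPLE_EVENTS, child.pid)))
```

The benign PowerShell launched from explorer.exe is deliberately not flagged, which is the point of keying on the parent rather than on the interpreter alone.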

As part of our service, Expel will deploy a set of custom watchlists to the Carbon Black server to ensure a wide range of detections. We’ve also built a number of custom integrations with Carbon Black’s platform and maintain our own detection feed that’s deployed to augment detections already built into Carbon Black. And because Expel is transparent, you can see exactly how we are using Carbon Black - showing you the precise role Carbon Black plays during your security operations and incident response processes.

What We Deliver

Transparency. Expel lets you see and use the same user interface as our analysts. You can see everything that Expel is doing and even collaborate with our analysts. Expel analysts are always online and happy to talk alerts - even at 2 a.m.

Resilience Recommendations. Expel remains valuable even when there are no alerts by recommending specific actions you can take to improve your security posture and prevent Groundhog Day alerts. Expel uses data and trends from your environment to create a business case for your security team to justify each recommendation.

Expel enables you to discover incidents your security tools send alerts about, but that get lost in the noise when there aren’t enough people available to respond. We help you learn the root cause of events so they can be fixed or even prevented. Expel acts as a force multiplier to your security team by surfacing the alerts that matter most, and clearly explaining what you should do about them.

To learn more, check out this quick video, which uses a Carbon Black example to illustrate how Expel works:


The post Partner Perspectives: Extend Visibility Without Expanding Your Team appeared first on Carbon Black.